OKMS API 2014-11-01

The Outscale Key Management Service (OKMS) API enables you to manage your cryptographic keys and perform cryptographic operations in the 3DS OUTSCALE Cloud.
It is compliant with the Key Management Service (KMS) API of Amazon Web Services (AWS). See the AWS Compatibility Matrix.

Authentication: About Signatures of API Requests
Throttling: If you exceed the number of identical requests allowed for a configured time period, a Throttling error message is returned.

License: BSD 3 Clause

Customer Master Keys

CancelKeyDeletion

GET /CancelKeyDeletion

Cancels the deletion of a customer master key (CMK) that is scheduled for deletion.
If the request succeeds, the state of the CMK becomes Disabled.

Parameters

Parameter In Type Required Description
KeyId body string false The ID of the CMK.

Body parameter

{
  "KeyId": "string"
}

Responses

Status Meaning Description Schema
200 OK The HTTP 200 response (OK). CancelKeyDeletionResponse

Example responses

200 Response

{
  "KeyId": "string"
}

CreateKey

GET /CreateKey

Creates a customer master key (CMK).
For example, with OSC CLI:
osc-cli okms CreateKey \
  --Description DESCRIPTION \
  --Tags '[{"TagKey": "AAAA", "TagValue": "BBBB"}, {"TagKey": "CCCC", "TagValue": "DDDD"}]'

[NOTE]
By default, your account has a quota of 20 CMKs.

Parameters

Parameter In Type Required Description
Description body string false A description for the CMK, between 0 and 8192 Unicode characters.
KeyUsage body string false The intended use of the CMK. By default, ENCRYPT_DECRYPT, which is the only valid value.
Origin body string false The source of the key material for the CMK. By default, OKMS, which is the only valid value.
Tags body string false One or more tags you want to associate with the CMK.

Detailed descriptions

Tags: One or more tags you want to associate with the CMK.
A tag key can contain between 1 and 128 characters.
A tag value can contain between 0 and 256 characters.

Body parameter

{
  "Description": "string",
  "KeyUsage": "string",
  "Origin": "string",
  "Tags": "string"
}

Responses

Status Meaning Description Schema
200 OK The HTTP 200 response (OK). CreateKeyResponse

Example responses

200 Response

{
  "KeyMetadata": {
    "AWSAccountId": "string",
    "Arn": "string",
    "CreationDate": "string",
    "DeletionDate": "string",
    "Description": "string",
    "Enabled": true,
    "KeyId": "string",
    "KeyManager": "string",
    "KeyState": "string",
    "KeyUsage": "string",
    "Origin": "string"
  },
  "requestId": "string"
}

Decrypt

GET /Decrypt

Decrypts ciphertext into plaintext.

Parameters

Parameter In Type Required Description
CiphertextBlob body string true The ciphertext you want to decrypt.
EncryptionContext body EncryptionContext false A context for the encryption, in the form of one or more '{"string": "string"}' pairs.

Detailed descriptions

EncryptionContext: A context for the encryption, in the form of one or more '{"string": "string"}' pairs.
When decrypting the data, you must specify the same context that was specified during encryption (if any), or the decryption will fail.

Body parameter

{
  "CiphertextBlob": "string",
  "EncryptionContext": {}
}

Responses

Status Meaning Description Schema
200 OK The HTTP 200 response (OK). DecryptResponse

Example responses

200 Response

{
  "KeyId": "string",
  "Plaintext": "string"
}

DescribeKey

GET /DescribeKey

Describes a Customer Master Key (CMK).

Parameters

Parameter In Type Required Description
KeyId body string true The ID of the CMK.

Body parameter

{
  "KeyId": "string"
}

Responses

Status Meaning Description Schema
200 OK The HTTP 200 response (OK). DescribeKeyResponse

Example responses

200 Response

{
  "KeyMetadata": {
    "AWSAccountId": "string",
    "Arn": "string",
    "CreationDate": "string",
    "DeletionDate": "string",
    "Description": "string",
    "Enabled": true,
    "KeyId": "string",
    "KeyManager": "string",
    "KeyState": "string",
    "KeyUsage": "string",
    "Origin": "string"
  }
}

DisableKey

GET /DisableKey

Sets the state of a Customer Master Key (CMK) to Disabled. You cannot perform operations with a disabled CMK.

Parameters

Parameter In Type Required Description
KeyId body string false The ID of the CMK.

Body parameter

{
  "KeyId": "string"
}

Responses

Status Meaning Description Schema
200 OK The HTTP 200 response (OK). DisableKeyResponse

Example responses

200 Response

{}

EnableKey

GET /EnableKey

Sets the state of a Customer Master Key (CMK) to Enabled.

Parameters

Parameter In Type Required Description
KeyId body string false The ID of the CMK.

Body parameter

{
  "KeyId": "string"
}

Responses

Status Meaning Description Schema
200 OK The HTTP 200 response (OK). EnableKeyResponse

Example responses

200 Response

{}

Encrypt

GET /Encrypt

Encrypts plaintext into ciphertext using a Customer Master Key (CMK).

Parameters

Parameter In Type Required Description
EncryptionContext body EncryptionContext false A context for the encryption, in the form of one or more '{"string": "string"}' pairs.
KeyId body string true The ID of the CMK.
Plaintext body string true The plaintext you want to encrypt, encoded in base64.

Detailed descriptions

EncryptionContext: A context for the encryption, in the form of one or more '{"string": "string"}' pairs.
When decrypting the data, you must specify the same context that was specified during encryption (if any), or the decryption will fail.

Plaintext: The plaintext you want to encrypt, encoded in base64.
This base64-encoded plaintext must contain between 1 and 4096 characters.

Body parameter

{
  "EncryptionContext": {},
  "KeyId": "string",
  "Plaintext": "string"
}

Responses

Status Meaning Description Schema
200 OK The HTTP 200 response (OK). EncryptResponse

Example responses

200 Response

{
  "CiphertextBlob": "string",
  "KeyId": "string"
}

GenerateDataKey

GET /GenerateDataKey

Generates a data key using a Customer Master Key (CMK).
This method returns the data in both encrypted form and decrypted form.

Parameters

Parameter In Type Required Description
EncryptionContext body EncryptionContext false A context for the encryption, in the form of one or more '{"string": "string"}' pairs.
KeyId body string false The ID of the CMK.
KeySpec body string false The length of the data key you want to generate, in the AES standard: AES_128 for a length of 128 bits (16 bytes), or AES_256 for a length of 256 bits (32 bytes).
NumberOfBytes body integer false The length of the data key you want to generate, in bytes (between 1 and 1024).

Detailed descriptions

EncryptionContext: A context for the encryption, in the form of one or more '{"string": "string"}' pairs.
When decrypting the data, you must specify the same context that was specified during encryption (if any), or the decryption will fail.

KeySpec: The length of the data key you want to generate, in the AES standard: AES_128 for a length of 128 bits (16 bytes), or AES_256 for a length of 256 bits (32 bytes).
You must specify either this parameter or the NumberOfBytes parameter.

NumberOfBytes: The length of the data key you want to generate, in bytes (between 1 and 1024).
You must specify either this parameter or the KeySpec parameter.

Body parameter

{
  "EncryptionContext": {},
  "KeyId": "string",
  "KeySpec": "string",
  "NumberOfBytes": 0
}

Responses

Status Meaning Description Schema
200 OK The HTTP 200 response (OK). GenerateDataKeyResponse

Example responses

200 Response

{
  "CiphertextBlob": "string",
  "KeyId": "string",
  "Plaintext": "string"
}
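
The constraints documented above for Encrypt and GenerateDataKey can be enforced on the client before a request is sent. The following Python sketch is an added example, not Outscale code: the function names are hypothetical, signing and sending the request are out of scope, and it reads "either KeySpec or NumberOfBytes" as exactly one of the two, which is an assumption.

```python
import base64

KEY_SPEC_BYTES = {"AES_128": 16, "AES_256": 32}  # lengths stated on this page


def _with_context(body, context):
    # EncryptionContext is a flat map of string pairs; reject anything else.
    if context:
        if not all(isinstance(k, str) and isinstance(v, str) for k, v in context.items()):
            raise ValueError("EncryptionContext must map strings to strings")
        body["EncryptionContext"] = dict(context)
    return body


def data_key_request(key_id, key_spec=None, number_of_bytes=None, context=None):
    """Return (body, expected_length) for a GenerateDataKey call."""
    # Assumption: supplying both parameters, or neither, is treated as an error.
    if (key_spec is None) == (number_of_bytes is None):
        raise ValueError("specify exactly one of KeySpec or NumberOfBytes")
    body = {"KeyId": key_id}
    if key_spec is not None:
        if key_spec not in KEY_SPEC_BYTES:
            raise ValueError("KeySpec must be AES_128 or AES_256")
        body["KeySpec"], expected = key_spec, KEY_SPEC_BYTES[key_spec]
    else:
        if not 1 <= number_of_bytes <= 1024:
            raise ValueError("NumberOfBytes must be between 1 and 1024")
        body["NumberOfBytes"], expected = number_of_bytes, number_of_bytes
    return _with_context(body, context), expected


def encrypt_request(key_id, data, context=None):
    """Return an Encrypt body; Plaintext is base64, 1 to 4096 characters long."""
    encoded = base64.b64encode(data).decode("ascii")
    if not 1 <= len(encoded) <= 4096:
        raise ValueError("base64 Plaintext must contain between 1 and 4096 characters")
    return _with_context({"KeyId": key_id, "Plaintext": encoded}, context)


def data_key_from_response(response, expected_length):
    """Decode the base64 Plaintext data key and confirm the requested length."""
    key = base64.b64decode(response["Plaintext"], validate=True)
    if len(key) != expected_length:
        raise ValueError("data key length does not match the request")
    # Keep CiphertextBlob with the protected data; the plaintext key stays in memory only.
    return key, response["CiphertextBlob"]
```

Because the limit applies to the base64 text, the largest raw payload Encrypt accepts is 3072 bytes. Store the EncryptionContext used here alongside the CiphertextBlob, since Decrypt fails without the same context.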

GenerateDataKeyWithoutPlaintext

GET /GenerateDataKeyWithoutPlaintext

Generates a data key using a Customer Master Key (CMK).
This method returns the encrypted data key only, not its decrypted form.

Parameters

Parameter In Type Required Description
EncryptionContext body EncryptionContext false A context for the encryption, in the form of one or more '{"string": "string"}' pairs.
KeyId body string false The ID of the CMK.
KeySpec body string false The length of the data key you want to generate, in the AES standard: AES_128 for a length of 128 bits (16 bytes), or AES_256 for a length of 256 bits (32 bytes).
NumberOfBytes body integer false The length of the data key you want to generate, in bytes (between 1 and 1024).

Detailed descriptions

EncryptionContext: A context for the encryption, in the form of one or more '{"string": "string"}' pairs.
When decrypting the data, you must specify the same context that was specified during encryption (if any), or the decryption will fail.

KeySpec: The length of the data key you want to generate, in the AES standard: AES_128 for a length of 128 bits (16 bytes), or AES_256 for a length of 256 bits (32 bytes).
You must specify either this parameter or the NumberOfBytes parameter.

NumberOfBytes: The length of the data key you want to generate, in bytes (between 1 and 1024).
You must specify either this parameter or the KeySpec parameter.

Body parameter

{
  "EncryptionContext": {},
  "KeyId": "string",
  "KeySpec": "string",
  "NumberOfBytes": 0
}

Responses

Status Meaning Description Schema
200 OK The HTTP 200 response (OK). GenerateDataKeyWithoutPlaintextResponse

Example responses

200 Response

{
  "CiphertextBlob": "string",
  "KeyId": "string"
}

ListKeys

GET /ListKeys

Lists your Customer Master Keys (CMKs).

Body parameter

{}

Responses

Status Meaning Description Schema
200 OK The HTTP 200 response (OK). ListKeysResponse

Example responses

200 Response

{
  "Keys": [
    {
      "KeyArn": "string",
      "KeyId": "string"
    }
  ]
}

ScheduleKeyDeletion

GET /ScheduleKeyDeletion

Schedules the deletion of a customer master key (CMK).
If the request succeeds, the state of the CMK becomes PendingDeletion and the CMK is deleted at the end of a waiting period.

[NOTE]

Parameters

Parameter In Type Required Description
KeyId body string true The ID of the CMK.
PendingWindowInDays body integer false The waiting period before deletion, in days (between 7 and 30). By default, 30.

Body parameter

{
  "KeyId": "string",
  "PendingWindowInDays": 0
}

Responses

Status Meaning Description Schema
200 OK The HTTP 200 response (OK). ScheduleKeyDeletionResponse

Example responses

200 Response

{
  "DeletionDate": "string",
  "KeyId": "string"
}

UpdateKeyDescription

GET /UpdateKeyDescription

Updates the description of a Customer Master Key (CMK).

Parameters

Parameter In Type Required Description
Description body string true The new description for the CMK, between 0 and 8192 Unicode characters.
KeyId body string true The ID of the CMK.

Body parameter

{
  "Description": "string",
  "KeyId": "string"
}

Responses

Status Meaning Description Schema
200 OK The HTTP 200 response (OK). UpdateKeyDescriptionResponse

Example responses

200 Response

{}

Tags

ListResourceTags

GET /ListResourceTags

Lists the tags associated with a customer master key (CMK).

Parameters

Parameter In Type Required Description
KeyId body string false The ID of the CMK.

Body parameter

{
  "KeyId": "string"
}

Responses

Status Meaning Description Schema
200 OK The HTTP 200 response (OK). ListResourceTagsResponse

Example responses

200 Response

{
  "Tags": [
    {
      "TagKey": "string",
      "TagValue": "string"
    }
  ]
}

TagResource

GET /TagResource

Adds one or more tags to a customer master key (CMK).
If a tag with the same key already exists for the CMK, the tag value is replaced.
For example, with OSC CLI:
osc-cli okms TagResource \
  --KeyId cmk-12345678 \
  --Tags '[{"TagKey": "AAAA", "TagValue": "BBBB"}, {"TagKey": "CCCC", "TagValue": "DDDD"}]'

Parameters

Parameter In Type Required Description
KeyId body string true The ID of the CMK.
Tags body string true One or more tags you want to add to the CMK.

Detailed descriptions

Tags: One or more tags you want to add to the CMK.
A tag key can contain between 1 and 128 characters.
A tag value can contain between 0 and 256 characters.

Body parameter

{
  "KeyId": "string",
  "Tags": "string"
}

Responses

Status Meaning Description Schema
200 OK The HTTP 200 response (OK). TagResourceResponse

Example responses

200 Response

{}

UntagResource

GET /UntagResource

Deletes one or more tags from a customer master key (CMK).
For example, with OSC CLI:
osc-cli okms UntagResource \
  --KeyId cmk-12345678 \
  --TagKeys '["AAAA", "CCCC"]'

Parameters

Parameter In Type Required Description
KeyId body string true The ID of the CMK.
TagKeys body string true One or more keys of tags you want to delete from the CMK.

Body parameter

{
  "KeyId": "string",
  "TagKeys": "string"
}

Responses

Status Meaning Description Schema
200 OK The HTTP 200 response (OK). UntagResourceResponse

Example responses

200 Response

{}

Schemas

CancelKeyDeletionResponse

Properties

Name Type Required Restrictions Description
KeyId string false none The ID of the CMK.

Schema

{
  "KeyId": "string"
}

CreateKeyResponse

Properties

Name Type Required Restrictions Description
KeyMetadata KeyMetadata false none Information about the CMK.
requestId string false none The ID of the request.

Schema

{
  "KeyMetadata": {
    "AWSAccountId": "string",
    "Arn": "string",
    "CreationDate": "string",
    "DeletionDate": "string",
    "Description": "string",
    "Enabled": true,
    "KeyId": "string",
    "KeyManager": "string",
    "KeyState": "string",
    "KeyUsage": "string",
    "Origin": "string"
  },
  "requestId": "string"
}

DecryptResponse

Properties

Name Type Required Restrictions Description
KeyId string false none The ID of the CMK.
Plaintext string false none The decrypted ciphertext, encoded in base64.

Schema

{
  "KeyId": "string",
  "Plaintext": "string"
}

DescribeKeyResponse

Properties

Name Type Required Restrictions Description
KeyMetadata KeyMetadata false none Information about the CMK.

Schema

{
  "KeyMetadata": {
    "AWSAccountId": "string",
    "Arn": "string",
    "CreationDate": "string",
    "DeletionDate": "string",
    "Description": "string",
    "Enabled": true,
    "KeyId": "string",
    "KeyManager": "string",
    "KeyState": "string",
    "KeyUsage": "string",
    "Origin": "string"
  }
}

DisableKeyResponse

Properties

None

Schema

{}

EnableKeyResponse

Properties

None

Schema

{}

EncryptResponse

Properties

Name Type Required Restrictions Description
CiphertextBlob string false none The encrypted plaintext.
KeyId string false none The ID of the CMK.

Schema

{
  "CiphertextBlob": "string",
  "KeyId": "string"
}

EncryptionContext

A context for the encryption, in the form of one or more '{"string": "string"}' pairs.
When decrypting the data, you must specify the same context that was specified during encryption (if any), or the decryption will fail.

Properties

None

Schema

{}

GenerateDataKeyResponse

Properties

Name Type Required Restrictions Description
CiphertextBlob string false none The encrypted data key, encoded in base64.
KeyId string false none The ID of the CMK.
Plaintext string false none The decrypted data key, encoded in base64.

Schema

{
  "CiphertextBlob": "string",
  "KeyId": "string",
  "Plaintext": "string"
}

GenerateDataKeyWithoutPlaintextResponse

Properties

Name Type Required Restrictions Description
CiphertextBlob string false none The encrypted data key, encoded in base64.
KeyId string false none The ID of the CMK.

Schema

{
  "CiphertextBlob": "string",
  "KeyId": "string"
}

Key

Information about the CMK.

Properties

Name Type Required Restrictions Description
KeyArn string false none The Outscale Resource Name (ORN) of the CMK.
KeyId string false none The ID of the CMK.

Schema

{
  "KeyArn": "string",
  "KeyId": "string"
}

KeyMetadata

Information about the CMK.

Properties

Name Type Required Restrictions Description
AWSAccountId string false none The account ID of the owner of the CMK.
Arn string false none The Outscale Resource Name (ORN) of the CMK.
CreationDate string false none The date and time when the CMK was created.
DeletionDate string false none The date and time when the CMK will be deleted. This value exists only if KeyState is PendingDeletion.
Description string false none A description for the CMK.
Enabled boolean false none If true, the CMK is enabled. If false, it is disabled.
KeyId string false none The ID of the CMK.
KeyManager string false none The manager of the CMK (always CUSTOMER).
KeyState string false none The state of the CMK (Enabled | Disabled | PendingDeletion).
KeyUsage string false none The intended use of the CMK. The only valid value is ENCRYPT_DECRYPT.
Origin string false none The source of the key material for the CMK. The only valid value is OKMS.

Schema

{
  "AWSAccountId": "string",
  "Arn": "string",
  "CreationDate": "string",
  "DeletionDate": "string",
  "Description": "string",
  "Enabled": true,
  "KeyId": "string",
  "KeyManager": "string",
  "KeyState": "string",
  "KeyUsage": "string",
  "Origin": "string"
}

ListKeysResponse

Properties

Name Type Required Restrictions Description
Keys [Key] false none Information about one or more CMKs.

Schema

{
  "Keys": [
    {
      "KeyArn": "string",
      "KeyId": "string"
    }
  ]
}

ListResourceTagsResponse

Properties

Name Type Required Restrictions Description
Tags [Tags] false none One or more tags associated with the CMK.

Schema

{
  "Tags": [
    {
      "TagKey": "string",
      "TagValue": "string"
    }
  ]
}

ScheduleKeyDeletionResponse

Properties

Name Type Required Restrictions Description
DeletionDate string false none The date and time when the CMK will be deleted.
KeyId string false none The ID of the CMK.

Schema

{
  "DeletionDate": "string",
  "KeyId": "string"
}

TagResourceResponse

Properties

None

Schema

{}

Tags

One or more tags.

Properties

Name Type Required Restrictions Description
TagKey string false none The key of the tag, between 1 and 128 characters.
TagValue string false none The value of the tag, between 0 and 256 characters.

Schema

{
  "TagKey": "string",
  "TagValue": "string"
}

UntagResourceResponse

Properties

None

Schema

{}

UpdateKeyDescriptionResponse

Properties

None

Schema

{}

Copyright ©2020 Outscale SAS. All rights reserved